Do we support HITRUST certification? What is the audit price?

Yes, we support HITRUST certification with our partner Barr Advisory.

Barr Advisory is a cybersecurity and compliance consulting firm. Once you conduct HITRUST risk assessments, develop policies and procedures, and execute relevant security controls, Barr Advisory will help you with the audit process along with Sprinto.

HITRUST offers several types of certifications. There are two primary certifications or assessments – HITRUST CSF Implemented, 1-year (i1) Assessment and HITRUST CSF Risk-based, 2-year (r2) Assessment.

1. HITRUST CSF Implemented, 1-year (i1) Assessment

The 1-Year (i1) certification gives organizations a structured process for implementing baseline security controls. The i1 certification covers a total of 182 security controls focused on core security requirements. It is better suited to lower-risk organizations such as:

  • Small to mid-sized healthcare providers
  • Financial services firms with limited scope
  • Technology startups

The total cost of obtaining HITRUST i1 certification typically ranges from $60,000 to $70,000. This includes the cost of the validated assessment conducted by an external assessor, the certification fee charged by HITRUST, and the cost of the MyCSF (My Cyber Security Framework) platform, which is used to manage the assessment and certification process.

2. HITRUST CSF Risk-based, 2-year (r2) Assessment

The HITRUST Risk-based, 2-Year (r2) certification is more comprehensive, covering 750+ security controls. This certification is more suited for organizations in high-risk industries or those dealing with huge amounts of sensitive data, such as:

  • Large healthcare organizations
  • Financial institutions with complex operations
  • Global technology companies
  • Pharmaceutical firms

The total cost of achieving HITRUST r2 certification generally falls between $100,000 and $120,000. This cost covers the validated assessment by an external assessor, HITRUST’s certification fee, and the MyCSF platform expenses.

While the i1 certification is the more cost-effective option for businesses that need foundational security assurance, the r2 certification provides a higher level of assurance across a much larger control set. It is a significant investment, and is most relevant for organizations that face extensive regulatory requirements and operate in high-risk data environments.
